Thursday, July 19, 2012

Delegating permissions on Security logs

In corporate environments, and above all in Windows environments, it is very common for Audit teams, whose users are not privileged, to want to view the Security logs. In Windows Server 2003 this is a somewhat complex and risky task by the standards Microsoft has accustomed us to, and we will have to use the SDDL language:

CAUTION: If this procedure is implemented incorrectly it can block all access to the log, and it requires a restart of the machine to take effect.

Delegating access to the event logs

In Windows Server® 2003, Windows Vista, and Windows Server® 2008, it is possible to customize the permissions on each event log on a computer. This capability was not available in previous versions of Windows. Some organizations may want to grant read-only access to one or more of the System event logs to some members of the IT team, such as auditors. The access control list (ACL) is stored as a Security Descriptor Definition Language (SDDL) string, in a REG_SZ value called "CustomSD" for each event log in the registry. The following procedure shows how to delegate read-only access for an event log. You will need to repeat this procedure for each event log that you wish to delegate read-only access to by changing the registry key as needed.
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
To delegate access to an event log using the registry
  1. Open Registry Editor.
  2. Navigate to the following registry path:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
    You will see that there are keys available for each event log. Select the event log for which you want to delegate read-only access.
  3. Under the key of the event log you selected, add a new String (REG_SZ) value named CustomSD. (The original TechNet text says to create a key named CustomSD containing an unnamed string value; that contradicts the description above and KB 323076: CustomSD is a REG_SZ value directly under the log's key, for example HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security.)
  4. The data of this value is the access control list for the event log in Security Descriptor Definition Language (SDDL) syntax. In this procedure the value is referred to as SDDLACL.
  5. Set SDDLACL to the following, entered as one string with no spaces between the ACEs (the spaces in the TechNet rendering are line-wrapping artifacts and would make the string invalid):
    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)
Once you edit this value and restart the computer, the new setting takes effect. Note that the string above does not by itself grant anything to an auditors group: it denies anonymous (AN) and guests (BG), gives SYSTEM full access, administrators (BA) read/write/clear, server operators (SO) read/clear, interactive (IU), service (SU) and batch (S-1-5-3) logons read only, and Local Service/Network Service write only. The event-log-specific access mask bits are 0x1 read, 0x2 write and 0x4 clear. To actually delegate read-only access, append an allow ACE with mask 0x1 and the SID of the group, in the form (A;;0x1;;;<group SID>), after the existing ACEs so that the deny entries stay at the front. Be certain that you fully understand SDDL and the default permissions that are placed on each event log before you use this procedure. Also, be certain to test any changes thoroughly before you implement them in a production environment, because you could accidentally configure the ACL on an event log in such a way that no one could access it.
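The following PowerShell script is an added example, not part of the TechNet or KB articles quoted here. It automates the procedure above for one log: it reads the current CustomSD (falling back to the string from the article if none exists), appends a read-only ACE for an auditors group, parses the result with .NET's RawSecurityDescriptor so that a malformed string is rejected before the Event Log service ever sees it, refuses to write anything that would drop SYSTEM's read access, backs up the old value and only writes with -Apply. The group name CONTOSO\LogAuditors and the backup location are assumptions; the script must run elevated on the target server.

```powershell
# Added example: delegate read-only access to an event log via CustomSD.
# Assumptions (hypothetical): auditors group is CONTOSO\LogAuditors; run elevated.
param(
    [string]$LogName      = 'Security',
    [string]$AuditorGroup = 'CONTOSO\LogAuditors',
    # Used only when the log has no CustomSD yet. This is the string from the
    # TechNet article; review it, since it also grants read to IU/SU/batch logons.
    [string]$BaseSddl     = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)',
    [switch]$Apply        # without -Apply the script is a dry run
)

$ErrorActionPreference = 'Stop'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Event-log-specific access mask bits (KB 323076): 0x1 read, 0x2 write, 0x4 clear
function Describe-EventLogAce([System.Security.AccessControl.KnownAce]$Ace) {
    $rights = @()
    if ($Ace.AccessMask -band 1) { $rights += 'read' }
    if ($Ace.AccessMask -band 2) { $rights += 'write' }
    if ($Ace.AccessMask -band 4) { $rights += 'clear' }
    '{0,-45} {1,-14} 0x{2:x} ({3})' -f $Ace.SecurityIdentifier, $Ace.AceType, $Ace.AccessMask, ($rights -join ',')
}

# Parse the SDDL. The constructor throws on a malformed string, which is the
# failure mode that locks everyone out of the log until the value is repaired.
function ConvertFrom-EventLogSddl([string]$Sddl) {
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $dacl = @($sd.DiscretionaryAcl)
    if ($dacl.Count -eq 0) { throw 'DACL is empty: nobody could read the log' }
    $systemSid = [System.Security.Principal.WellKnownSidType]::LocalSystemSid
    $sysRead = $dacl | Where-Object {
        $_.AceType -eq 'AccessAllowed' -and
        $_.SecurityIdentifier.IsWellKnown($systemSid) -and
        ($_.AccessMask -band 1)
    }
    if (-not $sysRead) { throw 'SDDL would remove SYSTEM read access; refusing' }
    return $sd
}

# SDDL needs the SID, not the account name
$sid = (New-Object System.Security.Principal.NTAccount($AuditorGroup)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

$current = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) { $current = $BaseSddl }

if ($current.Contains($sid)) {
    Write-Host "$AuditorGroup ($sid) is already present in CustomSD for $LogName"
    return
}

# Append an allow ACE with mask 0x1 (read only). Appending keeps the deny
# ACEs at the front of the DACL, which is the canonical order.
$newSddl = $current + "(A;;0x1;;;$sid)"

$sd = ConvertFrom-EventLogSddl $newSddl
Write-Host "Resulting DACL for the $LogName log:"
$sd.DiscretionaryAcl | ForEach-Object { Describe-EventLogAce $_ }

if ($Apply) {
    $backup = Join-Path $env:TEMP ('CustomSD-{0}-{1:yyyyMMddHHmmss}.txt' -f $LogName, (Get-Date))
    $current | Out-File -FilePath $backup
    Set-ItemProperty -Path $key -Name CustomSD -Value $newSddl -Type String
    Write-Host "Written. Previous value saved to $backup. Restart for the change to take effect."
} else {
    Write-Host "Dry run. Re-run with -Apply to write:`n$newSddl"
}
```

Run it first without -Apply and read the decoded DACL; the only line that should change is the appended allow entry for the auditors' SID with "read" alone. On Windows Vista and Windows Server 2008, which the quoted text also covers, the same SDDL can be inspected and set without a reboot with wevtutil (wevtutil gl Security shows the channelAccess string, wevtutil sl Security /ca:<sddl> sets it); the validation above applies equally to a string destined for that command.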


Taken from: http://technet.microsoft.com/en-us/library/cc722385(WS.10).aspx

More info: http://support.microsoft.com/default.aspx?scid=kb;en-us;323076